In May 2018, the GDPR, or General Data Protection Regulation comes into effect. Leaving businesses less than one year to make the necessary changes to the way in which they operate and manage risk to ensure they fully abide by the new law.
The state of play
The status quo sees EU businesses fall under the umbrella of the EU Data Protection Directive – where Data Protection requirements are encoded in law separately within each of the 28 EU member states.
This can be a little bit of a headache for businesses who operate, or hold personal data in multiple EU countries.
Why the change?
The existing directive was written in 1995, long before the adoption of cloud-based technology for storage, use and disclosure of personal data, or the rise of social networks and other services that collect and process personal data in huge volumes.
The GPDR will modernize the law, making it clearer where personal data is located, by whom it is being processed and who is accountable for processing it. The GDPR aims to harmonize the rules across all member states, and bring them up-to-date for the digital era.
What you need to know
The GDPR will hand greater control of personal data back into the hands of the individual. Allowing the individual a number of enhanced rights including access to their personal data, the ability to withdraw it and the right to be forgotten. It also strengthens the requirements around gathering data with greater emphasis on when you can collect and process personal data and proving that an organisation is meeting its obligations to process the data appropriately and securely.
The law not only applies to businesses in the EU, but any organization holding or transporting data relating to persons in the EU – therefore it has the potential to impact any business, in any country.
For many businesses, they must also appoint a specific Data Protection Officer, who must report directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest.
Non-compliance penalties could lead to fines of up to €20m or 4% of a company’s global annual turnover and be applied to both the organisation that controls the personal data as well as any organisations that it engages to process personal data on its behalf.
The key changes
- The GPDR will be applied across all 28 member states including the UK
- It uses an enforcement regime, as opposed to status quo of self-regulation and education
- Large fines for non-compliance, up to €20m or 4% annual income (whichever is larger)
- Stricter rules around gaining consent for data collection, data usage and marketing
- Individual right to access personal data, correct it and withdraw it
- Individual right to claim compensation
- Compensation claims will be made easier and simpler for consumers
Brexit and the GDPR
With the UK proffering its notice to leave the EU earlier this year, it might be easy to think the regulations will not apply to UK businesses post Brexit. This is not the case.
The GDPR will impact all UK businesses as of May 2018 and, even if repealed later, will continue to apply to UK businesses that offer services to the EU market, irrespective of whether your business is solely based in the UK and holds all of its data there.
It is also almost certain that although the UK will be separating from the Union it will fully adopt the GDPR to smooth future trade and service deals that involve personal data flows. Without such, offering services to the EU would be off the table.
In a nutshell
If you have not already acted, now is the time, as you will likely need to make changes to business processes and policies, introduce new roles and reporting procedures, and modify the way you engage with customers, and collect and process their personal data.
Wayin has an in-house data protection specialist to ensure that we meet the requirements for GDPR both in terms of personal data we process as part of our business as well as in our role as a data processor on behalf of our customers. We think that’s the standard and are happy to set it.